The $16 million figure is based on $1,000 per person for the approximately 16,000 patients affected by the UCLA data breach reported last month. If you'll recall, UCLA Hospitals announced a data breach after a former employee's home was broken into and a hard drive was stolen. The device's contents, protected health information, had been guarded with hard-drive encryption software; however, the password to it was apparently stolen along with the device.
When I blogged about the original data breach, I kept asking: what's a former employee doing with protected health information (PHI)? This, apparently, is the key question on which the lawsuit revolves. According to the lawyer who filed the suit (as quoted at law.com):
"Our argument is, at this point, why in the world did this doctor have this in the first place? Why was he carrying it around? Why did he take it home?" Kabateck said. "The statute was designed specifically to tell and instruct medical providers. 'You've got a heightened standard. You've got to do more than treat it like information at a company that sells copy machines.' It's not a customer list. It's critical confidential patient information."
The statute mentioned above is the California Confidentiality of Medical Information Act. Under that law, each patient can "recover $1,000 in statutory damages per occurrence."
UCLA had noted, when the breach first made the news, that the employee "maintained the information on the device in order to perform necessary UCLA job duties." Which is odd. How do you part ways with an employee...but not really? I guess you hire them as a consultant. In which case, did UCLA draw up a new contract with the doctor?
I'm not a lawyer, but I suspect things will turn on whether the doctor who parted ways with UCLA had some kind of contract with the hospital spelling out his patient data security obligations. After all, a doctor taking patient data home is not unusual in and of itself (HIPAA and other laws allow for it, as far as I can tell). But a doctor who has already parted ways with the hospital?
As you'll notice in the law.com article, there is not an iota about HIPAA breaches. The reason, I imagine, is that HIPAA gives patients no private right of action, so they can't sue and win under it.
However, the California Confidentiality of Medical Information Act (Cal. Civ. Code section 56 et seq., enacted in 1981) does allow for civil penalties and private lawsuits.
For example, the unauthorized disclosure of genetic test results can result in fines of up to $1,000 or $5,000, depending on whether the disclosure was negligent or willful.
In this case, it appears the lawyer is relying on section 56.36(b):
In addition to any other remedies available at law, any individual may bring an action against any person or entity who has negligently released confidential information or records concerning him or her in violation of this part, for either or both of the following:
(1) Nominal damages of one thousand dollars ($1,000). In order to recover under this paragraph, it shall not be necessary that the plaintiff suffered or was threatened with actual damages.
(2) The amount of actual damages, if any, sustained by the patient.
However, there are caveats. Note that the factors below govern the administrative fines and civil penalties of subdivision (c), not the $1,000 nominal damages under subdivision (b) quoted above, so a court's discretion here affects the penalty side rather than the per-patient statutory damages. From section 56.36(d):
In assessing the amount of an administrative fine or civil penalty pursuant to subdivision (c), the licensing agency or certifying board or court shall consider any one or more of the relevant circumstances presented by any of the parties to the case including, but not limited to, the following:
(1) Whether the defendant has made a reasonable, good faith attempt to comply with this part.
(2) The nature and seriousness of the misconduct.
(3) The harm to the patient, enrollee, or subscriber.
(4) The number of violations.
(5) The persistence of the misconduct.
(6) The length of time over which the misconduct occurred.
(7) The willfulness of the defendant's misconduct.
(8) The defendant's assets, liabilities, and net worth.
People who comment on and analyze HIPAA issues always include the observation that there are other laws and regulations, in addition to HIPAA, that one has to pay attention to, such as state laws. Now you know why.
Related Articles and Sites:
http://www.law.com/jsp/lawtechnologynews/PubArticleLTN.jsp?id=1202536123368&slreturn=1
http://www.emotrics.com/people/milton/practice/privacy/confidentialitymedinfoact.html